Funkwhale, security, review wanted 

If you have some knowledge in web security and Content Security Policy, would you mind having a look at ?

This is an attempt to harden the security of the web UI via a CSP (and some additional HTTP headers) and to reduce the attack surface in case of exploits.

#security #funkwhale #helpwanted


Funkwhale, security, review wanted 

@eliotberriot That seems pretty good already. You could:

1) add `frame-ancestors 'none';` and `X-Frame-Options: deny` (the later for backwards compatibility)
2) setup preloaded hsts to disable a whole set of vectors that exist due to backwards compatibility with unencrypted http
3) configure a referrer-policy to prevent leaks of possibly sensitive data in the url

Please don't hesitate to ask if you have further questions or need help.

Funkwhale, security, review wanted 

@sn0int thank you, I'll add your comment as a review to ensure we don't forget this ❤️

Sign in to participate in the conversation – a Fediverse instance for & by the Chaos community